Object based permissions for Interface by name

[hballiance]

I've been messing around with object based permissions. Basically I'm trying to restrict certain user/group to certain devices, most filtering is done by "if contains [word]" or "if starts with [word]" for this scenario. It's working well for device, ipam | VRF, virtualization | virtual machine, virtualization and some others.

However, I can't seem to setup constraints for "dcim > interface" properly. At the moment, the user can see the devices I've filtered for in the permissions but not the interfaces under that device. I've tried selecting "dcim > interface" object type under permissions and then tested a bunch of queries under Constraints. I want the user to see the interfaces if it has access to that device.

I've tried using {"device__startswith": "abc"} but that doesn't work. I've also tried {"device": "abc"} but it looks like it expects a device ID rather than a name/string. I've tried bunch of other ones from the list below but I cant get it working right. See screenshot below for what I want to filter for "startswith".

_cabled_as_a, _cabled_as_b, _connected_circuittermination, _connected_circuittermination_id, _connected_interface, _connected_interface_id, _name, cable, cable_id, connection_status, description, device, device_id, enabled, id, ip_addresses, label, lag, lag_id, mac_address, member_interfaces, mgmt_only, mode, mtu, name, tagged_items, tagged_vlans, tags, type, untagged_vlan, untagged_vlan_id

I can get it to filter by name but that ends up filtering for the interface name itself (ex. swp21, swp5 etc.) and not the device name. Any help would be appreciated.

[jeremystretch]

You can reference the fields of related objects by joining them with a double underscore ("dunder"), similar to how you would you dots in Python. In this case, you want to reference the parent device's name field:

{"device__name__startswith": "abc"}

This is analogous to referencing device.name in Python. However, I'll caution that filtering by device name may not scale well: tenant or role assignment would work better. In that case, you'd do something like this:

{"device__device_role__name": "Foo"}

[hballiance]

That I didnt know, working now. Thank you!

[hballiance]

You can reference the fields of related objects by joining them with a double underscore ("dunder"), similar to how you would you dots in Python. In this case, you want to reference the parent device's name field:

{"device__name__startswith": "abc"}

This is analogous to referencing device.name in Python. However, I'll caution that filtering by device name may not scale well: tenant or role assignment would work better. In that case, you'd do something like this:

{"device__device_role__name": "Foo"}

If I apply the same thing to ipam > IP Address, I get an error: Invalid filter for <class 'ipam.models.IPAddress'>: Field 'assigned_object' does not generate an automatic reverse relation and therefore cannot be used for reverse querying. If it is a GenericForeignKey, consider adding a GenericRelation.

[hballiance]

@jeremystretch Could this be related to v2.9.0 changes to the REST API changes? I remember having to modify my Python script for another project a while back because of it.

v2.9.0 changelog:

ipam.IPAddress: Removed interface field; replaced with assigned_object generic foreign key. This may represent either a device interface or a virtual machine interface. Assign an object by setting assigned_object_type and assigned_object_id

[hballiance]

Nevermind, figured it out. Apparently assigned_object needs to be replaced with interface. So instead of the query being {"assigned_object__device__name__icontains": "-abc"}, it becomes {"interface__device__name__icontains": "abc"}

[epcjwen]

Nice!

Hi, can you explain how that works? Interface isn't one of the IPAddress object methods as it was removed in v2.9+ as you have pointed out from the changelog

[hballiance]

Can you explain a bit more?

[epcjwen]

OK, I made a mistake with my previous comment. The interface method exists, but the subsequent device doesn't? I'm running
version 2.9.8.

>> ip1 = IPAddress.objects.all()[0]
>> type(ip1)
<class 'ipam.models.IPAddress'>
>>> ip1.interface
<django.db.models.fields.related_descriptors.create_reverse_many_to_one_manager.<locals>.RelatedManager object at 0x7fbcbcb385b0>
>>> ip1.interface.device
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'RelatedManager' object has no attribute 'device'

Isn't { "interface__device__name__icontains": "abc" } a json format of interface.device.name ?

[hballiance]

Yeah, {"interface__device__name__icontains": "abc"} works for me. You are filtering under the ipam | IP address model, correct?

[epcjwen]

That's right, filtering by ipam | IP Address. {"interface__device__name__icontains": "abc"} This also work for me, but I'm trying to understand why it worked given the output I got from the nbshell suggest otherwise.